Is greater online shopping security bad for business?

Payments are fundamentally about trust. And as we all conduct more of our shopping online, there’s a fine line between convenience and safety. The more seamless online payments become, the more easily the wheels of commerce turn. But get online shopping security wrong and the whole system might seize up as fearful buyers withdraw from purchases.

In Europe, there have recently been worrying signs that the system is out of balance and digital fraudsters have been gaining the upper hand.

Scams on the rise with online payments

According to the European Central Bank, so-called card-not-present scams accounted for 73 per cent of all fraud in the euro payment area in 2016, costing €1.3 billion. These scams highlight one of the biggest problems in the digital economy: the centralised storage of customer identity and card data in online databases creates a honeypot for hackers.

By breaking into such systems and harvesting clients’ personal information, debit or credit card numbers and security codes, fraudsters can conduct their own illegitimate purchases.

If your card provider spots a dodgy-looking deal – “Did you buy a £5,000 sofa in Madrid yesterday?” – they should get in touch and refund you. But apart from the psychological shock of finding yourself the victim of a hack, the costs of poor online shopping security filter down to consumers in the form of higher card fees and interest rates.

New customer protection rules

To help address card-not-present fraud, new strong customer authentication (SCA) rules are due to come into force this month across the European Union. The idea behind SCA is that adding a second identity check, in a process called two-factor authentication, can help ensure much better online shopping security.

The additional check may be a text message sent to your phone asking you to confirm a purchase, an email, a code generated by a hardware token, or even a biometric check of the purchaser’s fingerprint or face, conducted by smartphone.

But the introduction of the new SCA rules, which form part of the EU’s Second Payment Services Directive, has generated some worrying comments about the possible knock-on effect on online commerce.

Knock-on effects on e-commerce

Payments company Stripe recently claimed that Europe’s online economy could suffer a €57-billion hit after the SCA rules take effect, equivalent to a 10 per cent reduction in overall digital shopping volumes.

Other reports are even more alarmist. A survey, conducted by Germany’s EHI institute, suggested online merchants are seeing more than a third of shoppers abandon shopping carts as a result of SCA, largely due to the complexity of the new checkout process.

Other European payments specialists are more sanguine, however, citing a recent decision by the EU to avoid an abrupt introduction of the new identification rules.

“In many countries, SCA will not be a ‘big bang’, but phased in gradually,” says Ron van Wezel, senior analyst at consultancy Aite Group. “In the UK, the Financial Conduct Authority and UK Finance have published a migration plan that extends the deadline to March 2021. With this handheld approach, the risks to ecommerce sales are properly managed in my view.”

Mr van Wezel points out that some European countries have already adopted more advanced online shopping security systems without too much fuss. “In markets such as the Nordics, two-factor authentication is already common and it doesn’t impact sales, as long as the customer experience is smooth, for example using biometrics,” he says.

Opportunities for technologists

But for the time being, we may all have to get used to a confusing free-for-all when it comes to the means by which card providers satisfy themselves of our identity.

“The belated decision to delay SCA is a relief,” says Tim Richards, head of digital payments at Consult Hyperion. “Beyond this, the bigger issue is the lack of standardisation.”

Regulators have decided not to specify any minimum technical standards for SCA, which means those handling payments are free to choose their own verification mechanisms, whether text message, email, use of a hardware dongle, mobile phone app or biometric check.

“Every issuer, acquirer or merchant has lots of freedom to implement SCA in their own way. This will create confusion in the market,” says Mr van Wezel.

But others see the new SCA rules as fertile ground for tech experts to improve online shopping security and gain new business. “We see huge opportunities in mobile-based authenticators and behavioural biometrics,” says Mr Richards.

And challenger banks, such as Monzo, Revolut and Starling, which have invested heavily in user-friendly mobile savings and spending apps, also seem well positioned to gain future market share in online payments.